File name:	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
Full analysis:	https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 20:39:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader lumma themida auto stealc netreactor rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	0A7F88A22AE393BE6AAF81E99911559E
SHA1:	618BD53DCB394611C6EE90199ABE534D40DD6958
SHA256:	41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
SSDEEP:	98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:25 12:10:38+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	321024
InitializedDataSize:	104960
UninitializedDataSize:	-
EntryPoint:	0x32b000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer		—
		MD5:—	SHA256:—
1328	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp		—
		MD5:—	SHA256:—
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer		—
		MD5:—	SHA256:—
5864	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	C:\Windows\Tasks\axplong.job		binary
		MD5:D446F281DFEBA704B5320A0013F90407	SHA256:14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7937.tmp.WERInternalMetadata.xml		xml
		MD5:9F85756BC40FB67C90BFE818A56FA942	SHA256:12D4B97F3F2A2A4A747B436ED0CBBE17946B3592B156F7BFF95F0287C24367BF
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA4F.tmp.xml		xml
		MD5:42A98A39F238CBFBF8A74E30EB2A2689	SHA256:2E3D1EE950A29A6335D59264D27032EA124CAA576B855734B8FC80977EDE6299
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER7957.tmp.xml		xml
		MD5:DB3A89C4735CB811699283392606D07F	SHA256:1693DDE494D2C3CE8C61271A6576E1DD35F4E33AD0C1315154B0D773FE952836
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA1F.tmp.WERInternalMetadata.xml		xml
		MD5:36BCF3516079CB45F21B95DD9A2CA12D	SHA256:292E3D4BC617BFFE1B10F5C93C3FF37D62513377FD8C83101FB4D10DEFD543C4
5096	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\696969[1].exe		executable
		MD5:89AD45B4A0E2D547C1E09D0A1EA94DF6	SHA256:18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER786A.tmp.dmp		binary
		MD5:D59E08BA2054F1B22DCD87BBEADC0B91	SHA256:5D7890348A8BD721786A97F5A78D7B0BFBBBA77850A96DEE9E279F98D714159E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3296	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3296	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/inc/legs.exe	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/test/am209.exe	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5316	696969.exe	GET	—	135.181.65.216:80	http://135.181.65.216/	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3296	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3296	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3296	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5096	axplong.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
pancakedipyps.click	—	malicious
nearycrepso.shop	—	malicious
abruptyopsn.shop	—	malicious
wholersorie.shop	—	malicious
framekgirus.shop	—	malicious
tirepublicerj.shop	—	malicious

PID	Process	Class	Message
5096	axplong.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
5096	axplong.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
5096	axplong.exe	Misc activity	ET INFO Packed Executable Download
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
5096	axplong.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
5096	axplong.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5096	axplong.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Process	Message
41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe

0A7F88A22AE393BE6AAF81E99911559E

618BD53DCB394611C6EE90199ABE534D40DD6958

41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE

98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY mutex has been found

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been found (auto)

LUMMA has been detected (SURICATA)

AMADEY has been detected (YARA)

STEALER has been found (auto)

StealC has been detected

LUMMA mutex has been found

LUMMA has been detected (YARA)

STEALC has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts itself from another location

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Connects to the server without a host name

Application launched itself

Process requests binary or script from the Internet

Executes application which crashes

Windows Defender mutex has been found

There is functionality for enable RDP (YARA)

The process executes via Task Scheduler

Searches for installed software

INFO

Checks supported languages

Sends debugging messages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Checks proxy server information

The process uses the downloaded file

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Themida protector has been detected

.NET Reactor protector has been detected

Reads Environment values

Reads product name

Reads CPU info

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration